Mebroot: The Stealthiest Rootkit in the Wild?

By Brian Prince
Posted 2009-04-15

Malware writers have added new moves to the notorious Mebroot rootkit.

The malware also goes by the names Sinowal and Torpig, and made headlines late last year when EMC's RSA security division found a trove of financial data stolen by attackers. Now, security vendors say a new variant has been armed with functionality designed to cloak it as it spreads through drive-by downloads and by exploiting a recent Adobe Reader and Acrobat vulnerability.

"This is the stealthiest rootkit in the wild today," Jacques Erasmus, director of research at Prevx, told eWEEK. "There are proof-of-concept rootkits that are more stealthy, but in terms of them being able to be implemented for mainstream use, that is still a very long way off."

Once on your Windows PC, Mebroot delivers a payload that can record keystrokes, sniff HTTP and HTTPS POST requests, and inject arbitrary HTML into Web sites, particularly banking sites. But according to security vendors, what's really new is how Mebroot infects a system. According to researchers at Prevx, Mebroot no longer hooks into the disk.sys driver; instead it checks which lower driver the device \Device\Harddisk0\DR0 is attached to and hooks that driver.

"If the lower driver to which the device is attached is atapi.sys, then atapi.sys will be hooked," a Prevx researcher explained in a blog post. "If the lower driver is acpi.sys, then that driver will be attacked. ... This is why you can get different results from PC to PC, and between a PC and a virtual machine like VMware."

In this new version, the malware authors also fixed a bug that had previously made it easier to detect anomalies in the master boot record (MBR), said Andreas Baumhof, CTO for TrustDefender.
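The MBR anomaly detection the article alludes to is, in its simplest form, a baseline comparison of the boot sector. The following is an added example (it is not code from the article, Prevx or TrustDefender) showing that check on a raw 512-byte MBR image: it verifies the 0x55AA boot signature, parses the four partition-table entries, and compares a SHA-256 of the bootstrap-code region against a known-good hash recorded when the machine was built. The sample MBR bytes, the function names and the baseline-hash approach are all constructed for this example.

```python
"""Baseline consistency check of a master boot record (MBR) image.

Added example; not part of the eWEEK article or any vendor tool.
The MBR layout used here is the classic one: 446 bytes of bootstrap
code, a 64-byte partition table (four 16-byte entries), and the
two-byte boot signature 0x55 0xAA at offset 510.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG_OFF = 510       # 0x55 0xAA closes the sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries (empty entries have type_id 0)."""
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions marked active")
    for idx, p in enumerate(parts):
        # A typed entry with no sectors, or one starting inside sector 0,
        # is malformed and worth a look.
        if p.type_id != 0 and (p.sectors == 0 or p.lba_start == 0):
            findings.append(f"partition entry {idx} has an invalid extent")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one active NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + b"\x55\xaa"


# Constructed sample: a few stub bytes stand in for real loader code.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = boot_code_hash(GOOD_MBR)
# Constructed "tampered" copy: the loader bytes were replaced.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00\x90\x90")

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, BASELINE))      # []
    print(check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

The caveat that follows directly from the article: because this variant hooks the driver beneath \Device\Harddisk0\DR0, a sector read issued from the running, infected Windows instance can be answered with clean-looking data. The image fed to a check like this should therefore be taken from outside the suspect OS, for example after booting from known-clean media, and the baseline hash stored somewhere the machine cannot rewrite.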

He added that after the initial infection, Mebroot is never present as a file on the hard drive. It is injected into various kernel drivers during the boot-up procedure and is finally injected into services.exe and svchost.exe. It then compromises all processes through IAT (import address table) hooking to gain access to their internal data, he said.

"So altogether, Mebroot is not visible as a kernel driver, not visible as a usermode process, [and] if you scan your hard drive, nothing is found," he said, adding however that two executables are executed at the time of the initial infection and will be present on the hard drive for a short period in the temp directory.

Prevx has added functionality into its new tool, Prevx 3.0, to help organizations deal with the threat. TrustDefender has done the same with its own tool, and has also posted manual detection and removal instructions. According to researchers at Symantec and TrustDefender, infections of the new variant do not appear to be extremely widespread at the moment.

"We have seen it 'popping up' on a small number of servers, and now it has almost disappeared again; however, we all know that it won't take too long before it reappears," Baumhof said. "In my opinion, these guys know the workings of the security industry in very much detail, and they don't want to run the risk of infecting too many computers, for example, to be included in an MSRT, or to face a global targeted alliance against them, as seen, for example, with Conficker.C."